Researchers have highlighted that the actively exploited Windows deceiving flaw fixed by Microsoft last week has existed for more than two years.

The tech giant’s August 2020 Patch Tuesday updates dealt with 120 flaws, including an Internet Explorer zero-day that has been chained with a Windows vulnerability in attacks connected to the cybercriminal named DarkHotel, and a Windows spoofing issue tracked as CVE-2020-1464.

Microsoft terms CVE-2020-1464 as a spoofing flaw pertaining to Windows wrongly authenticating file signatures. A hacker can abuse the flaw to sidestep security features and load inappropriately signed files.

Researchers evaluated CVE-2020-1464 after the tech giant issued its patch and observed that it’s probably a flaw that has been known for years and which Microsoft has been declining to correct.

“Microsoft Windows keeps the Authenticode signature valid after appending any content to the end of Windows Installer (.MSI) files signed by any software developer. This behaviour can be exploited by attackers to bypass some security solutions that rely on Microsoft Windows code signing to decide if files are trusted. The scenario is especially dangerous when the appended code is a malicious JAR because the resulting file has a valid signature according to Microsoft Windows and the malware can be directly executed by Java,” Bernardo Quintero, founder of VirusTotal, explained in the January 2019 blog post.

“[The] way Microsoft had handled the vulnerability report seems rather strange,” Be’ery noted. “It was very clear to everyone involved, Microsoft included, that GlueBall is indeed a valid vulnerability exploited in the wild. Therefore, it is not clear why it was only patched now and not two years ago.”

“A security update was released in August. Customers who apply the update, or have automatic updates enabled, will be protected. We continue to encourage customers to turn on automatic updates to help ensure they are protected,” said a Microsoft spokesperson.

Leave a Reply

Your email address will not be published. Required fields are marked *